ipfw and ipv6: "me"

Ivan Voras ivoras at freebsd.org
Mon Sep 5 14:57:52 UTC 2011


On 5 September 2011 16:01, Matthew D. Fuller <fullermd at over-yonder.net> wrote:
> On Mon, Sep 05, 2011 at 02:37:08PM +0200 I heard the voice of
> Ivan Voras, and lo! it spake thus:
>>
>> There is no symmetrical "me4" option which leads me to think that
>> "me" matches only ipv4 and "me6" only ipv6.
>
> I can't answer for the code, but as far as I could tell as a user
> that's the case.
>
> (and so my firewall script is piled up with "{ me or me6 }"'s...
> sigh)

I thought so too, and AFAIK it used to work like that, but it might be that
something has changed. I have pretty conclusive evidence that the handling
has either been extended to (ipv4 or ipv6) or at least is inconsistent.

I've verified this by having these two rules:

02999        17         1360 skipto 3000 log tcp from me to any setup keep-state
03000     66661     52129939 allow tcp from me to any setup keep-state

and the logs have this:

Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 [2001:4f8:fff6::22]:80 out via em0
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:4f8:fff6::22]:80 [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 in via em0
Sep  5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 69.147.83.34:80 xxx.xxx.xxx.xxx:38991 in via em0

So "tcp from me to any..." appears to match both... which would be
fine, but then how do we match ipv4 only?
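The evidence in the message is a set of kernel log lines from a `log`-flagged rule. The following is an added example (not part of the original post or of FreeBSD's ipfw code) of how to turn such logs into a per-rule tally of address families, so that "does this rule match both IPv4 and IPv6?" can be answered from the log rather than by eyeballing it. The log lines embedded in the script are constructed to have the same shape as the ones quoted above, with documentation-prefix addresses substituted; the regular expression assumes the `ipfw: <rule> <action>[ <arg>] <proto> <src> <dst> <in|out> via <iface>` layout seen there. For the question of matching one family only, ipfw(8) documents the `ipv4`/`ip4` and `ipv6`/`ip6` options, which this script does not touch; it only measures what an existing rule actually hit.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original message): same shape as the
# ipfw log output quoted in the post, with documentation-prefix addresses
# substituted for the real and xxx'd-out ones.
SAMPLE_LOG = """\
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:1::1]:43389 [2001:db8:2::22]:80 out via em0
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:2::22]:80 [2001:db8:1::1]:43389 in via em0
Sep  5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 198.51.100.34:80 192.0.2.10:38991 in via em0
Sep  5 14:32:07 element kernel: ipfw: 3100 Deny UDP 192.0.2.10:5353 198.51.100.53:53 out via em0
"""

# Assumed layout: "ipfw: <rule> <action>[ <arg>] <proto> <src> <dst> <in|out> via <iface>"
# (<arg> is present for actions such as "SkipTo 3000").
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+(?: \d+)?) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_endpoint(token):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port); port is None if absent."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", token)
    if m:                                            # bracketed IPv6 with port
        return ipaddress.ip_address(m.group(1)), int(m.group(2))
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit() and "." in host:       # IPv4 with port
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(token), None         # bare address (no port logged)


def parse_line(line):
    """Return a dict describing one ipfw log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, sport = parse_endpoint(m.group("src"))
    dst, dport = parse_endpoint(m.group("dst"))
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "family": "ipv6" if src.version == 6 else "ipv4",
    }


def families_per_rule(log_text):
    """Map rule number -> Counter of the address families that rule has logged."""
    per_rule = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_rule[rec["rule"]][rec["family"]] += 1
    return dict(per_rule)


def rules_matching_both_families(log_text):
    """Rule numbers whose log evidence shows hits from both IPv4 and IPv6 traffic."""
    return {rule for rule, fam in families_per_rule(log_text).items()
            if fam["ipv4"] and fam["ipv6"]}


if __name__ == "__main__":
    for rule, fam in sorted(families_per_rule(SAMPLE_LOG).items()):
        print(rule, dict(fam))
    print("rules hit by both families:", sorted(rules_matching_both_families(SAMPLE_LOG)))
```

Run against `/var/log/security` (or wherever syslog puts the `ipfw:` lines) instead of the embedded sample, the per-rule counters show immediately which `me` rules are being hit by both families; a rule that was intended to be IPv4-only but shows an `ipv6` count is the one to revisit.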


More information about the freebsd-net mailing list